
mTLS setup error #16000

@daniel-sanche

I started seeing an exception in my local environment after the recent mTLS changes. It looks like the auth library is trying to read /etc/gcloud/certificate_config.json, but raising an exception because it's not in the proper format. My understanding was that the mTLS functionality was meant to fail silently.

  File "/tmp/speech_repro/repro.py", line 15, in <module>
    asyncio.run(repro())
    ~~~~~~~~~~~^^^^^^^^^
  File "/home/sanche/.pyenv/versions/3.14.2/lib/python3.14/asyncio/runners.py", line 204, in run
    return runner.run(main)
           ~~~~~~~~~~^^^^^^
  File "/home/sanche/.pyenv/versions/3.14.2/lib/python3.14/asyncio/runners.py", line 127, in run
    return self._loop.run_until_complete(task)
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^
  File "/home/sanche/.pyenv/versions/3.14.2/lib/python3.14/asyncio/base_events.py", line 719, in run_until_complete
    return future.result()
           ~~~~~~~~~~~~~^^
  File "/tmp/speech_repro/repro.py", line 10, in repro
    client = speech_v2.SpeechAsyncClient()
  File "/home/sanche/.pyenv/versions/3.14.2/lib/python3.14/site-packages/google/cloud/speech_v2/services/speech/async_client.py", line 280, in __init__
    self._client = SpeechClient(
                   ~~~~~~~~~~~~^
        credentials=credentials,
        ^^^^^^^^^^^^^^^^^^^^^^^^
    ...<2 lines>...
        client_info=client_info,
        ^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/home/sanche/.pyenv/versions/3.14.2/lib/python3.14/site-packages/google/cloud/speech_v2/services/speech/client.py", line 813, in __init__
    self._transport = transport_init(
                      ~~~~~~~~~~~~~~^
        credentials=credentials,
        ^^^^^^^^^^^^^^^^^^^^^^^^
    ...<7 lines>...
        api_audience=self._client_options.api_audience,
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/home/sanche/.pyenv/versions/3.14.2/lib/python3.14/site-packages/google/cloud/speech_v2/services/speech/transports/grpc_asyncio.py", line 280, in __init__
    cert, key = client_cert_source_for_mtls()
                ~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/home/sanche/Documents/python_repos/google-auth-library-python/google/auth/transport/mtls.py", line 73, in callback
    _, cert_bytes, key_bytes = _mtls_helper.get_client_cert_and_key()
                               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/home/sanche/Documents/python_repos/google-auth-library-python/google/auth/transport/_mtls_helper.py", line 412, in get_client_cert_and_key
    has_cert, cert, key, _ = get_client_ssl_credentials(generate_encrypted_key=False)
                             ~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/sanche/Documents/python_repos/google-auth-library-python/google/auth/transport/_mtls_helper.py", line 361, in get_client_ssl_credentials
    cert, key = _get_workload_cert_and_key(certificate_config_path)
                ~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/sanche/Documents/python_repos/google-auth-library-python/google/auth/transport/_mtls_helper.py", line 130, in _get_workload_cert_and_key
    cert_path, key_path = _get_workload_cert_and_key_paths(
                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
        certificate_config_path, include_context_aware
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/home/sanche/Documents/python_repos/google-auth-library-python/google/auth/transport/_mtls_helper.py", line 195, in _get_workload_cert_and_key_paths
    raise exceptions.ClientCertError(
    ...<3 lines>...
    )
google.auth.exceptions.ClientCertError: Certificate config file /etc/gcloud/certificate_config.json is in an invalid format, a "workload" cert config is expected
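
An added diagnostic sketch, not part of the original issue or of google-auth: it classifies a certificate config file for the condition named in the error above (no "workload" entry) without raising. The `cert_configs`, `cert_path` and `key_path` key names, the function names and the sample files are assumptions constructed for illustration.

```python
import json
import os
import tempfile

# Assumed layout: {"cert_configs": {"workload": {"cert_path": ..., "key_path": ...}}}.
# Only the "workload" name appears on this page; the other keys are assumptions.
def classify_cert_config(path):
    """Return (status, detail) for a certificate config file without raising."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            data = json.load(fh)
    except FileNotFoundError:
        return "absent", None
    except (OSError, ValueError) as exc:  # unreadable file or invalid JSON
        return "unreadable", str(exc)
    cert_configs = data.get("cert_configs") if isinstance(data, dict) else None
    if not isinstance(cert_configs, dict):
        return "no_cert_configs", None
    workload = cert_configs.get("workload")
    if not isinstance(workload, dict):
        # The reported case: the file exists but describes other config kinds.
        return "no_workload", sorted(cert_configs)
    missing = [k for k in ("cert_path", "key_path") if not workload.get(k)]
    if missing:
        return "workload_incomplete", missing
    return "workload_ok", (workload["cert_path"], workload["key_path"])

def workload_paths_or_none(path):
    """Lenient policy: only a complete workload entry yields cert/key paths."""
    status, detail = classify_cert_config(path)
    return detail if status == "workload_ok" else None

def write_sample(directory, name, content):
    """Write a constructed sample file and return its path."""
    path = os.path.join(directory, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content if isinstance(content, str) else json.dumps(content))
    return path

def demo():
    """Classify four constructed sample files and return their statuses."""
    with tempfile.TemporaryDirectory() as d:
        ok = {"cert_configs": {"workload": {"cert_path": "/c.pem", "key_path": "/k.pem"}}}
        samples = {
            "ok": write_sample(d, "ok.json", ok),
            "other": write_sample(d, "other.json", {"cert_configs": {"other_kind": {}}}),
            "garbled": write_sample(d, "bad.json", "{not json"),
            "absent": os.path.join(d, "nope.json"),
        }
        return {name: classify_cert_config(p)[0] for name, p in samples.items()}
```

Where a lenient policy like `workload_paths_or_none` is used, logging any status other than `workload_ok` keeps a host that was expected to present a client certificate from dropping mTLS unnoticed.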
